System, method and computer program product for assessing risk of identity theft

ABSTRACT

In one embodiment, this invention analyzes demographic data that is associated with a specific street address when presented as an address change on an existing account or an address included on a new account application when that address is different from the reference address (e.g., a credit bureau type header data). The old or reference address and the new address, the new account application address or fulfillment address demographic attributes are gathered, analyzed, compared for divergence and scaled to reflect the relative fraud risk.

CROSS-REFERENCE TO RELATED APPLICATIONS

[0001] This application claims the priority from U.S. ProvisionalApplication No. 60/423,298, filed on Nov. 1, 2002, which is herebyincorporated by reference in its entirety.

TECHNICAL FIELD

[0002] This invention relates, in general, to apparatuses and methodsfor identifying account fraud. In particular, this invention relates todetecting fraud and assisting in fraud prevention due to identity theftincluding to but not limited to address change, account takeover fraud,and new account application fraud. In addition, this invention may bepracticed using batch or real-time, online processing or using customerhosted software applications.

BACKGROUND OF THE INVENTION

[0003] Numerous businesses, such as financial institutions, departmentstores, fulfillment businesses, on-line business, and businesses makingsales over the telephone face the challenge of protecting the businessfrom customers attempting to defraud it. These businesses regularlyhandle thousands of accounts from its users or consumers. Such accountsmay include instant credit or credit accounts with a department store orother retail outlet, or accounts involving checks, credit cards, debitcards, or ATM cards of a bank, credit or other financial institution.

[0004] Identity theft may include account takeover, wherein a thiefsteals the identity of an individual and then uses that information totake over ownership of that individual's account; or new account fraud,wherein the identity thief uses stolen information to open new accountsin another person's name.

[0005] Conventional methods for detecting identity theft when openingnew accounts or for modifying existing accounts may be problematic.Currently, to detect identity theft type fraud, businesses have usednegative databases of suspicious addresses like mail receiving agents orknown fraud addresses. This method is useful only if there is knownnegative information. Often, delivery addresses are not included in anegative database.

[0006] In the case of new account application fraud, contemporarydetection methods focus on the verification of data elements that areascertainable by the criminal. These approaches seek to verify theidentity of the new account applicant based on the information that isprovided in the application process. There are typically threemethodologies used in the new account verification process. First,businesses check negative file resources to see whether there isnegative information associated with a data element e.g., the providedsocial security number belongs to a deceased person. Second, businessesattempt to verify the applicant's identity through the use of matchingthose application data elements to independent data sources which oftenonly serve to corroborate the stolen information that the crook isusing. Third, there are logical references like; does the driver'slicense number fit the format from the issuing state? These techniquesare generally used for both “in and out of wallet solutions.” “Out ofWallet” verification adds a level of complexity to the criminalenterprise through the presentation questions based on data nottypically stored in a wallet or purse. For instance, asking a person toprovide a the maiden name of his/her mother.

[0007] As recognized by the present inventors, what is needed is asystem, method, and computer program product for detecting identityfraud theft using a method that may either supplant or complement someof the methods discussed above. There is a further need for a system,method and computer program that identifies both account takeoveridentity theft and new account identity theft.

SUMMARY OF THE INVENTION

[0008] In light of the above and according to one broad aspect of oneembodiment of the invention, disclosed herein is a system and methodsfor detecting fraud in account requests such as requests for newaccounts, requests for change of address of existing accounts, andrequests for media such as bank checks, duplicate credits cards, ATMcards, debit cards, past financial statements, and the like. In oneexample, embodiments of the present invention may utilize demographicdata based on addresses associated with the account to determine whetheran account request may involve identity theft fraud, and scores may begenerated indicating the likelihood that the account request may involveidentity theft fraud.

[0009] In one embodiment, this invention analyzes demographic data thatis associated with a specific street address when presented as anaddress change on an existing account or an address included on a newaccount application when that address is different from the referenceaddress (e.g., a credit bureau type header data). The old or referenceaddress and the new address, the new account application address orfulfillment address demographic attributes are gathered, analyzed,compared for divergence and scaled to reflect the relative fraud risk.

[0010] Another embodiment of the present invention relates to a methodfor assessing a risk of fraud. The method comprises receiving at leastinformation relating to a first address relating to one of an accountholder or an applicant; receiving information relating to a secondaddress; and measuring demographic differences between the first andsecond addresses.

[0011] Another embodiment of the present invention relates to a methodfor assessing a risk of identity theft fraud with respect to newapplications. The method comprises receiving first address informationrelating to an applicant for an account; and using demographic datarelating to the address information.

[0012] Another embodiment of the present invention relates to a methodfor detecting a risk of identity theft fraud. The method comprisescombining warm address, known fraud address information, USPSDeliverable Address File, NCOA files with address specific, singlepoint, demographic information; and coupling differential informationrelating to the addresses to predict a risk of fraud for at least one ofaccount takeover new account application and fulfillment fraud.

[0013] Another embodiment of the present invention relates to a systemfor assessing a risk of fraud. The system includes a processor, memory;computer instructions operable by the processor to append data to atleast one variable used in assessing a risk of identity theft fraud;computer instructions operable by the processor to analyze differencesin demographic data for two different street address; computerinstructions operable by the processor to calculate a score indicativeof a level of risk of fraud; and computer instructions operable by theprocessor to output an assessment of a risk of level of fraud. Incalculating the score, the formula used is of the form:

Y=A+B1*x1+B2*x2+B3*x3 . . . +Bn*xn

[0014] where Y is the dependent or outcome variable is the result usedto predict the risk of identity theft fraud, A is a constant value, B1 .. . Bn are the coefficients or weights assigned to the independentvariables, and x1 . . . xn are the independent variables.

BRIEF DESCRIPTION OF THE DRAWINGS

[0015]FIG. 1 is a block diagram of an overall process in accordance withan embodiment of the present invention.

[0016]FIG. 2 illustrates an example of logical operations for processingnew account requests, in accordance with an embodiment of the presentinvention.

[0017]FIG. 3 is a block diagram showing the address information used inan embodiment of the present invention to detect identity theft viaaccount takeover or via applications for new accounts.

[0018] FIGS. 4-5 illustrate examples of logical operations forprocessing new account requests as illustrated in FIG. 2, in accordancewith an embodiment of the present invention.

[0019]FIG. 6 illustrates an example of the logical operations fordetermining a risk of identity theft fraud, in accordance with anembodiment of the present invention.

[0020]FIG. 7 is a block diagram showing logical operations for appendingcertain information to addresses in performing analysis for determininga risk of identity theft fraud, in accordance with an embodiment of thepresent invention.

[0021]FIG. 8 illustrates another example for processing new accountrequest, in accordance with an embodiment of the present invention.

[0022]FIG. 9 illustrates an example of logical operations for processingrequests to take over an account, in accordance with an embodiment ofthe present invention.

[0023]FIG. 10 illustrates another example of logical operations forprocessing a request to take over an account, in accordance with anembodiment of the present invention.

[0024] FIGS. 11-12 illustrate examples of operations of FIGS. 9-10, inaccordance with an embodiment of the present invention.

[0025]FIG. 13 illustrates another example of logical operations forprocessing a request to take over an account, in accordance with anembodiment of the present invention.

[0026] FIGS. 14-15 illustrate examples of logical operations for FIG.13, in accordance with an embodiment of the present invention.

DETAILED DESCRIPTION

[0027] The present invention generally relates to a system and methodfor detecting or assessing the risk of identity theft fraud. The presentinvention will be described in the context of detecting or assessing therisk of identity theft fraud in two contexts: new account applicationfraud and account takeover fraud. However, the present invention is notlimited to only detecting these type of fraud schemes.

[0028]FIG. 1 shows the general steps used in an embodiment of thepresent invention for detecting fraud. As shown in block 10, new addressinformation is obtained. In the context of a new account application,this may be the address provided on the application and in the contextof takeover of an account, this may be the new address provided that isto replace the current address on the account. As shown in block 12,this new street address information is compared to a reference address(which may be an address obtained from a credit report for the person orthe current address prior to the change of address). Next, as shown inblock 14, demographic data associated with the addresses is gathered andanalyzed. As shown in block 16, an assessment of relative risk ofidentity theft fraud is made based on the analysis. As such, the presentinvention analyzes demographic data that is associated with a specificstreet address when presented as an address change on an existingaccount or an address included on a new 10 account application when thataddress is different from a reference address (e.g., whether provided bythe applicant or obtained from a credit bureau). For the two addresses,demographic attributes are gathered, analyzed, compared for divergenceand scaled to reflect the relative risk of identity theft fraud. Riskmay be expressed in a number of ways. In one embodiment, risk isexpressed as an upper bound numerical score from 1 to 100 that isreturned with reason codes to the customer for follow up.

[0029] One advantage to the present invention's use of addressinformation is that an address is the one element that a criminal cannotmanipulate. That is, when a criminal steals an identity, the criminalmay be able to obtain identity information relating to the victim.However, the criminal cannot receive mail at the victim's house.Consequently, the criminal needs to use an address where he/she canreceive mail (e.g., to obtain media or goods). As such, the presentinvention compares addresses. The present invention recognizes thatthere are demographic differences between addresses. For instance, oneaddress may have an upscale socio-economic demographic as compared tothe other address that has a more downscale socio-economic demographic.By using street address information as the basis for gathering,comparing and analyzing demographic data, the present invention useselements that can be independently verified and analyzed to determine arisk of identity theft. Also, in addition to the demographic data,additional data elements such as warm address information orundeliverable address information may be used to assist in assessing therisk of identity theft fraud. Within the context of this document,“Account” as used in this application includes its ordinary meaning andis also intended to cover any business relationship where there isfinancial risk on part of the product or service provider including butnot limited to relationships of credit, debit brokerage, retail,non-face to face fulfillment activities (e.g., on-line sales).

[0030] In general, the risk assessment is performed when a business orservice user sends/transmits the old or reference address and the new(requested changed) or new account application address with otheridentifying information for use by the software application embodyingthe present invention. Input data is matched to address specificdemographic data which in turn is delivered to the decision engine toproduce a risk score. Data processing can occur in batch, real timeonline or on customer or processor hosted software application.Communications can occur through telephone, data line, internet ortape/disk or other commercially available method. The application outputmay be returned to the service user via an internet accessed system,telephone, data line, or other commercially available method.

[0031] In general, the present invention uses statistical modeling ofnegative and demographic/socio-economic data elements associated with astreet address to identify suspected identity theft fraud activity whenthere is a change in address or an address on a new application that isdifferent from a reference address (e.g., one provided by the applicantor one obtained from a third party such as a credit bureau). As such,this invention may be used to detect identity theft fraud in existingaccounts, new credit account applications or other business risksassociated with address manipulation. The process generally analyzes thedifferences in demographic data between an old address or referenceaddress and an address on a new application or an address change on anaccount to a new address. If a reference address is not provided by thenew applicant or is not the address that was changed to a new address,then a reference address may be a credit bureau header data or anaddress secured from a third party database. Additionally, othernegative and logical data sources are used in the risk evaluation, suchas warm address information, driver's license syntax specific to astate, or the year a social security number is issued is compared to thedate of birth for rationality. Analysis may performed through the use ofregression models, neural network and expert rules based technology. Ascore that scales risk is developed to identify the likelihood ofidentity theft fraud. The score is returned along with supportiveinvestigative data to the customer/business for use in determining thelevel of risk it is willing to take in entering into a businessrelationship with the investigated person. Consequently, an embodimentof the present invention provides businesses with the opportunityinvestigate a potential identity theft fraud and take steps to preventeconomic loss. As will be discussed, in the preferred embodiment, thepresent invention is implemented in software.

[0032] Referring to FIG. 2, the method for detecting new accountapplication fraud will be described. FIG. 2 illustrates an example oflogical operations for detecting fraud in the context of receiving a newaccount request. As shown in block 20, a new request is receivedincluding the client data, and the received data is reformatted,normalized, or otherwise processed so that the data can be furtherprocessed. An input data stream or data inputs from the client/customerare delivered to the host system for processing. Examples of the type ofmessage elements or data inputs include the following: New AccountApplication/Address Change (New Address) data inputs Customer identifierFirst name Transaction type Middle initial/name Street directional Lastname Street name Surname Unit number Account or reference number Cityname Address type code State Name Social Security Number Zip Code plus 4Date of Birth Driver's license information Loss potential - for takeoveronly

[0033] New Account Reference Address/Address Change Old Address Customeridentifier First name Transaction type Middle initial/name Streetdirectional Last name Street name Surname Unit number Account orreference number City name Address type code State name Social SecurityNumber Zip Code plus 4 Date of Birth Driver's license information

[0034] Account Access Device Requests, Normal or Emergency (Credit/DebitCards, Checks, PIN) requests input file (Address change process only)Transaction type State name Media type Zip Code plus 4 Request typeFirst name Account number Middle initial/name Street directional Lastname Street name Surname Unit number Address type code City name Losspotential - Open to buy/balance Driver's license information

[0035] However, depending on the implementation, not all of the dataelements need to be sent by the client. In one embodiment, for assessingrisk of new account application identity theft fraud, input dataincludes name and address listed on the new application. In oneembodiment, for assessing risk of account takeover identity theft fraud,input data includes name, current address or reference address, and theaddress to which it was changed.

[0036] In general, information that may be provided by a business thatwants an assessment of risk of identity theft may provide the type oftransaction (e.g., new application, change of address, etc.),information to identify the person that is to be investigated (e.g.,name, social security number, date of birth etc.), address informationas will be discussed with reference to FIG. 3, account information, andwhether there has been a media request (e.g., a request for checks,credit cards, PIN number, or other items of value).

[0037]FIG. 3 is a block diagram showing two forms of identity theftfraud (block 150): takeover identity theft fraud (block 152) and newapplication identity theft fraud (block 154). In general, accounttakeover occurs when a person (e.g., a criminal) poses as the customerof a business and changes the address from the customers' address to theanother address (i.e., the criminal's address). The criminal then hadmedia, such as checks, credit cards, PIN number, or other items of value(including other goods) to the new/criminal address. The criminal thenmay commit fraud from the unauthorized use of the financial instrumentor benefits from the illegally obtained goods. New application identitytheft fraud involves a criminal submitting a new application thatincludes information of another and attempts to obtain media or othergoods and services from the business.

[0038] In the account take over situation, usually there is an addresschange to a new address. The current address prior to the address changemay be referred to as the old address, the reference address, or theFROM address. The new address (i,e., the address that the referenceaddress was changed to) is sometimes referred to as the TO address.Similarly, in the new application situation, the reference address isthe old address or FROM address. It may be provided by the applicant orit may be obtained from a third party such as a credit bureau. Also, inthe new application, address provided on the new application may bereferred to as the new address or TO address.

[0039] Usually in the takeover situation, because of the address change,the business that is going to have an assessment made of the risk ofidentity theft fraud has an old address or reference address and a newaddress. In the new application situation, usually, a business that isgoing to have assessment made will have the address stated on theapplication but may not have a reference address. It is more common touse a third party source to obtain a reference address for analysis of arisk of identity theft in a new application situation. However, thepresent invention may be used when, in a new application situation, areference address is provided by the business that wants to analyze theapplicant for identity theft fraud. Some of the information provided bythe business in requesting an analysis for the risk of identity theft isto provide other information such as a social security number to assistin obtaining information a reference address for the person named on theapplication from a third party source.

[0040] An embodiment of the present invention uses an input data streamfrom the client/customer in a processing scenario or delivers requireddata inputs to the customer hosted software application. As shown above,data inputs for account takeover may include a customer name, accountnumber and the old or FROM address, and new or TO address. As shownabove, new account application input data may include name,institutional reference number, reference address and applicationaddresses. If the reference address is not available, a third partyaddress database will be consulted. Emergency “Over night” replacement”processing inputs may include name, address, account or referencenumber, account type and open to buy/available credit balance.

[0041] As will be described, input data is compared against the warmaddress, known fraud data, USPS deliverable Address File and the NCOAfiles. The outcomes of these comparisons are appended to the inquiryrecord. The inquiry is then matched to the demographic data file andappended to the inquiry record. The inquiry record is written to theinquiry log.

[0042] At block 22, a determination is made as to whether a referenceaddress is present. If a reference address is provided in the clientdata, then such address is also standardized (block 26). Otherwise. areference address is appended to the data received (block 24). If thereference address is not available, a third party address database maybe consulted. For instance, the reference address may be obtained from acredit bureau and appended to the data received. Then, the appendedreference address is standardized (block 26)

[0043] In one embodiment, if the reference address and the new accountapplication address are the same the inquiry will be logged to aninquiry database and no further action will be taken. In anotherembodiment, if the reference address and the new account applicationaddress are the same, the inquiry will be logged to an inquiry databaseand the address will be checked to make sure it is not a warm address orthat it is not an undeliverable address. Also, when the address on a newapplication matches the reference address, then the business may notwant the analysis conducted.

[0044] If there is a difference between the new account applicationaddress and the reference address, then additional information such asthe information that will be described with respect to blocks 30, 40,50, 60, 70, and 80 will be appended to both addresses (block 28). Allinformation is appended to both the reference address and to the addressprovided in the application (block 28). In one embodiment, theinformation appended includes demographic data (block 30), U.S. postalservice data (block 40), other data (50), previous history file data(block 60), client fraud data (block 70) received from a particularclient, and address velocity data (block 80).

[0045] With respect to FIG. 7, a brief description of the logicaloperations performed in determining the data appended from demographicdata (block 30). In selecting demographic data to append to an address,first an attempt is made to match the name and address (block 27). Ifthere is a match, then the demographic data is the appended from thatfile. However, if there is not a match for both name and address, thenthere is an attempt made to match the address. If a match is made, thenthe demographic data for the address is appended. Also, for the areadefined by a Zip+4 or Zip code+4, a demographic data for that area isappended. For instance, if information related to length of residencewas being appended to each address, then first, a search would be madeto match the name and address to the file containing such information.If a match is made, the length of residence data from that file would beappended. If such a match is not made, then an attempt would be made tomatch the address only. If there is a match, then the length ofresidence for the last person at the address would be appended. Also,the length of residence for the residences in the Zip+4 would beappended (or an average of the length of residences for the residencesin the Zip+4 would be appended).

[0046] Demographic data may come from a number of national databases.Such data is compiled by companies such as Experian, Equifax, InfoUSA,and Acxiom. These databases include publicly available demographic datafrom sources such as vehicle registration data, county assessorinformation, warranty cards, and department of motor vehicle data amongother sources. These databases may be accessed to obtain demographicdata information. As shown in FIG. 3, demographic data appended to theaddresses as shown in block 30 may include appending demographic datarelated to income (block 32), demographic census data (block 34),demographic data relating to housing characteristics (block 36) and datarelating to household membership characteristics. Example of such datainclude: Census/demographic data for reference/application/changeaddress Address type - residence, single family Household incomeapartment, business Length of residence Owner/renter Number of childrenSingle family/renter Deliverable address Primary and secondary namesLongitude/latitude Age, primary and secondary Neighbor wealth Gender,primary and secondary Single family dwelling value Occupation, primaryand secondary Relocation velocity Marital status Education Number ofadults Vehicles

[0047] Further examples of demographic data related to income include:

[0048] RESEARCH—INCOME ESTIMATES

[0049] EXPENDABLE INCOME RANK

[0050] NET WORTH RANK

[0051] WEALTHFINDER CODE

[0052] POTENTIAL INVESTOR CONSUMER SCORE

[0053] REVOLVER MINIMUM PAYMENT MODEL

[0054] BUYER BEHAVIOR CLUSTER CODE

[0055] INTERNET USAGE MODEL

[0056] HIGH TECH HOUSEHOLD INDICATOR

[0057] HOUSEHOLD OWNS STOCKS OR BONDS

[0058] Examples of demographic data related to housing characteristicsinclude:

[0059] LIKELIHOOD HOME IS OWNED OR RENTED

[0060] DELIVERY UNIT SIZE

[0061] HOMEOWNER INDICATOR

[0062] AGE OF HOME SOURCE CODE

[0063] AGE OF HOME

[0064] ESTIMATED HOME VALUE CODE

[0065] LOAN-TO-VALUE RATIO RANGE CODE

[0066] HOME LOAN AMOUNT

[0067] MORTGAGE AMOUNT SOURCE CODE

[0068] MORTGAGE BALANCE CODE

[0069] HOME EQUITY ESTIMATE

[0070] HOMEOWNER SOURCE CODE

[0071] HOUSEHOLD HAS MOVED FROM ADDRESS

[0072] RESEARCH—ADDRESS VERIFICATION

[0073] ADDRESS VERIFIED BY ANY DICTIONARY

[0074] PRIMARY SOURCE OF NAME AND ADDRESS

[0075] RESEARCH—SOURCE FLAGS/RECENCY

[0076] DATE

[0077] LENGTH OF RESIDENCE IN YEARS.

[0078] Examples of demographic data related to household membershipcharacteristics include:

[0079] HEAD OF HOUSEHOLD AGE CODE

[0080] HOUSEHOLD MEMBER 1 GENDER CODE

[0081] HOUSEHOLD MEMBER 1 TITLE CODE

[0082] HOUSEHOLD MEMBER 1 GIVEN NAME

[0083] HOUSEHOLD MEMBER 1 MIDDLE INITIAL

[0084] HOUSEHOLD MEMBER 1 SURNAME

[0085] HOUSEHOLD MEMBER 1 SURNAME SUFFIX

[0086] Also, the similar information about other members of thehousehold may be included.

[0087] Similarly, as shown in FIG. 3, United States Postal Service dataappended to each address as shown in block 40 may include application ofZip code+4 address standardization programs (block 42), national changeof address (block 44), delivery point validation and service (block 46),locatable address conversion system (block 48), NES/Nixie (block 52),delivery sequence file (block 54), and deceased, pandering andsuppression files (block 56). The deliverable address file and thenational change of address file are searched to match the address.Examples of the delivery validation file and the national change ofaddress file is as follows: U.S. Postal Service Deliverable Address FileStreet number Unit number Street directional City name Street name StateName Zip Code plus 4

[0088] National Change of Address - USPS Street number Unit numberStreet directional City name Street name State Name Zip Code plus 4Confirmed change of address by USPS Move date

[0089] The following additional information may be gathered from theUnited States Postal Service data:

[0090] STREET DESIGNATOR

[0091] POST DIRECTION

[0092] UNIT TYPE

[0093] UNIT NUMBER

[0094] ZIP CODE

[0095] ZIP+4 CODE

[0096] DELIVERY POINT AND CHECK DIGIT

[0097] CARRIER ROUTE

[0098] ZIP+4 MATCH LEVEL

[0099] PRIMARY NUMBER IS A BOX

[0100] ZIP CODE STANDARDIZATION

[0101] CITY CHANGE INDICATOR

[0102] LOT

[0103] STATE CODE

[0104] COUNTY CODE

[0105] LACS INDICATOR

[0106] FINALIST UNIT RETURN CODE

[0107] VENDOR SOURCE

[0108] CITY TYPE INDICATOR

[0109] RECORD TYPE FROM ZIP+4 FILE

[0110] Appendage

[0111] MATCH LEVEL

[0112] MOVE TYPE

[0113] EFFECTIVE MOVE DATA (YYYYMM)

[0114] UNIT TYPE

[0115] UNIT NUMBER

[0116] CITY NAME

[0117] STATE ABBREVIATION

[0118] ZIP CODE

[0119] ZIP+4 ADD-ON CODE

[0120] DELIVERY POINT AND CHECK DIGIT

[0121] CARRIER ROUTE

[0122] ZIP+4 MATCH LEVEL

[0123] PRIMARY NUMBER IS A BOX

[0124] LACS RECORD TYPE

[0125] MULTI SOURCE LEVEL

[0126] NCOA MATCH FOOTNOTES

[0127] INDIVIDUAL MATCH LOGIC REQUIRED

[0128] NIXIE MATCH

[0129] HOUSE NUMBER MISSING

[0130] CLIENT RECORD MISSING BOX

[0131] ADDRESSES DO NOT MATCH

[0132] STREET NAME DOES NOT MATCH

[0133] UNIT NUMBER MISSING IN CLIENT

[0134] UNIT NUMBER TRANSPOSITION

[0135] UNIT NUMBER MISMATCH

[0136] CLIENT MISSING 1^(ST) NAME

[0137] 1^(ST) NAME MATCHES 1^(ST) INITIAL

[0138] MIDDLE NAME/INITIAL MISMATCH

[0139] GENDER MISMATCH

[0140] TITLE/SUFFIXES DO NOT MATCH

[0141] INDIVIDUAL MOVE AND 1^(ST) NAMES DO NOT MATCH

[0142] INDIVIDUAL MATCH LOGIC AND 1^(ST) NAMES DO NOT MATCH

[0143] SURNAME MATCH TO GEN. DELIVERY

[0144] Appendage

[0145] MATCHED TO ZIP+4 FILE

[0146] NOT MATCHED TO ZIP+4 FILE

[0147] ALL COMPONENTS MATCHED TO DPV

[0148] DPV MATCHED BUT SECONDARY NUMBER INVALID

[0149] DPV MATCHED HIGHRISE DEFAULT

[0150] (MISSING SECONDARY

[0151] PRIMARY NUMBER MISSING

[0152] PRIMARY NUMBER INVALID

[0153] MISSING PO, RR, HC BOX NUMBER

[0154] MATCHED TO CMRA AND PMB,

[0155] DESIGNATOR PRESENT

[0156] MATCHED TO CMRA AND PMB,

[0157] DESIGNATOR NOT PRESENT

[0158] DPV CONFIRMATION INDICTOR

[0159] INVALID ADDRESS PO, RR, OR HC

[0160] BOX NUMBER INVALID

[0161] FUTURE EXPANSION

[0162] ZIP+4 MATCH LEVEL

[0163] ADDRESS SORT SEQUENCE NUMBER

[0164] VACANT INDICATOR

[0165] SEASONAL INDICATOR

[0166] RESIDENTIALJBUSINESS INDICATOR

[0167] THROWBACK INDICATOR

[0168] DELIVERY TYPE CODE

[0169] DELIVERY POINT DROP INDICATOR

[0170] NUMBER OF DELIVERIES AT THE DROP

[0171] LOCATION ADDRESS CONVERSION

[0172] INDICATOR

[0173] NO STATISTICS INDICATOR

[0174] Appendage

[0175] ADDRESS SOURCE CODE

[0176] ADDRESS DELIVERY CODES

[0177] PANDER CODE

[0178] LOCAL ADDRESS LINE

[0179] UNIT INFORMATION LINE

[0180] SECONDARY ADDRESS LINE/

[0181] URBANIZATION CODE

[0182] LONG CITY NAME

[0183] ZIP CODE

[0184] ZIP+4 CODE

[0185] MAILABILITY CODE

[0186] MILITARY ZIP CODE

[0187] OPAC MATCH INDICATOR

[0188] NDI AFFIRMED APT INDICATOR

[0189] SECONDARY ADDRESS INDICATOR

[0190] POSTAL COUNTY CODE

[0191] LONG CITY NAME INDICATOR

[0192] CARRIER ROUTE CODE

[0193] LINE OF TRAVEL INFORMATION

[0194] LOT SORTATION NUMBER

[0195] PRESTIGE CITY NAME USED

[0196] ZIP/ADD-ON/DELIVERY POINT

[0197] Appendage

[0198] MATCH CODE

[0199] Appendage

[0200] MATCH CODE

[0201] ZIP PLUS FOUR CODE (4 DIGITS)

[0202] ZIP+4 MATCH LEVEL

[0203] ADDRESS DSF GROUP CODE

[0204] USPS DELIVERY SERVICE TYPE

[0205] CARRIER ROUTE CODE

[0206] DELIVERY POINT

[0207] 1990 CENSUS CODES

[0208] ADDRESS LOCATION TYPE

[0209] LOCATION (DWELLING UNIT) ID

[0210] ADDRESS TYPE

[0211] ROUTE TYPE

[0212] ROUTE NUMBER

[0213] BOX TYPE

[0214] BOX NUMBER

[0215] UNIT TYPE

[0216] UNIT NUMBER.

[0217] Continuing to refer to FIG. 3, other data may be appended tothese addresses (block 50). Other data may include information from warmaddress files comprising high risk addresses like mail receiving agents,jails, prisons, hotels and the like (block 58). Warm address filecomponents may include: Warm Address File Components Address type:Street directional Mail receiving agent Street name Other high risk Unitnumber Hotel/Motel City name Street number State Name Zip Code plus 4

[0218] Usually, an attempt is made to match the address to an address inthe warm address file. If there is a match, then in one embodiment, thetype (e.g., a description on the place where the mail would be deliveredsuch as a prison) of address would be appended.

[0219] Other data may include non-client fraud address files comprisingthird party sourced fraud address records (block 60). Other data mayfurther include Department of Justice county level crime statistics thatscale the geographic propensity to crime frequency. Other similarinformation may be appended to the addresses. This information may besearch to match an address, and append the information if there is amatch.

[0220] Also, as shown in FIGS. 2 and 5, any data from a client fraudfile may be appended to the addresses (block 70). This data may becontributed by the business making the request (block 66). That is, thebusiness provides fraud address data records. An example of such arecord is as follows: Customer/Business Maintained Fraud/High RiskAddress File First name Street name Middle initial/name Unit number Lastname City name Surname State Name Street number Zip Code plus 4 Streetdirectional

[0221] These records may be from on-line case management system thathave stored accessible addresses for confirmed fraud incidents. Thisinformation will be used in the process for determining a risk of fraud,which may be indicated by a score.

[0222] Also, information is derived relating to inquiry activityrelating to both new address and the reference addresses. Thisinformation is stored and updated in an address velocity file.Information is appended to the addresses relating to frequency ofinquiries. (block 80). Also, a previous history file is reviewed forinformation relating to the new application and reference addresses.This information may be appended to the addresses (block 60). Thisprevious history file includes previously scored addresses. This filemay include date of scoring, address scored, and the score. This filemay be updated to reflect any scoring performed on an address. Falsepositive rates are improved through the use of warm address data,customer maintained known fraud address file coupled with the U.S.Postal Service National Change of Address Database. These data sourceswill be used in the score development process.

[0223] As shown in FIG. 2, once information has been appended to theaddresses, then a score is created based on all the data (block 82).Generally, statistical models are used to derive a score, which is usedto predict the risk of fraud. At block 82, a score is created based onthe data associated with the request and the appended data. FIG. 6 showsthe logical operations for determining a score in accordance with oneembodiment of the present embodiment. As shown is FIG. 6, as shown inblock 180, the first step is to analyze the demographic data appended toeach of the addresses and derive information used to predict the risk offraud. Next, as shown in block 182, a score is calculated based on theweights placed for each of the selected variables. In one embodiment ofthe present invention the following variables have been selected to beused in the model to predict the risk of fraud: (1) a variable that isbased on the change in the financial make-up of the two addresses; (2) avariable that identifies records that were confirmed through third partydata to match the name at a given address; (3) a variable that is basedon the home value between the two addresses; (4) a variable that isbased on the distance of the move for the change of address; (5) avariable that is based on whether the type of housing (e.g., apartment,non-apartment, single family home) has changed for the current addressin comparison with the reference address or old address; (6) a variablethat is based on whether the application address or the new address is abuilding (i.e., not an apartment or a home, rather something other thanan apartment or a home); (7) a variable based on whether the newapplication address, the new address or current address is a warmaddress; (8) a variable that is based on the difference in internetusages for the Zipcode+4 area for the two addresses; and (9) a variablethat is based on the average length of stay at the residence at theZip+4 area code for the reference address or the old address (when thereis an address change requested). Then, the second step is to use themodel to obtain a score to predict the risk of fraud. Each of thesevariables will be discussed in turn.

[0224] The first variable is based on the change in the financialmake-up of the two addresses. In one embodiment of this model, thisvariable is called “Valuel.” This variable analyzes the change in thefinancial make-up of the reference address, the old address (e.g., inaddress change or account takeover situations), or FROM address (e.g.,old address) and new application address, the new address, or the TOaddress (e.g., the address to which it has been changed). It is acomposite of three demographic variables: Income, Net Worth and HomeOwnership. In one embodiment, to derive the composite information thefollowing steps are used. First, the difference in income is determined.As described with respect to FIG. 7, to determine the difference inincome, for both addresses (e.g., new application address and referenceaddress in risk of fraud relating to a new application or as will bedescribed later, reference or old and new addresses in a takeoversituation), income for the respective address is appended by matchingname and address to the appropriate demographic file. If there is not amatch by both name and address, then a search is made to match at byaddress only to find income. If there is not a match by address only,then the Zip+4 for an address is used and the average income for thatZip+4 is appended to the address. If there is still not a match, thenthe mean income for all individuals is assigned. For instance, the meanincome for all individuals may be assigned, when a Zip+4 for aparticular address cannot be determined or when demographic data cannotbe located for the address of a Zip+4 area.

[0225] Once, a value has been appended to each address for income, thenthe difference in income between the two addresses is calculated usingthe following formula:

DF_INCOME=INCOME(FROM)−INCOME(TO)

[0226] Where DF_INCOME refers to the difference in income between thetwo addresses, INCOME(FROM) refers income appended to the referenceaddress or old address, and INCOME(TO) refers to income appended to newapplication address or the new address.

[0227] Next, the difference in net worth ranking is constructed. Todetermine the difference in net worth, for both addresses, net worthranking is appended by first trying to match by name and address to thedemographic file. If a match is not found, then match by address only isattempted to find net worth ranking. If there is still no match, then amatch is made to the Zip+4 of the address and the average net worthranking for that Zip+4 is appended. If there is still no match, then themean net worth ranking for all individuals is appended to the address.For instance, as with income, the mean net work ranking for allindividuals may be appended when a Zip+4 for a particular address cannotbe determined or when demographic data cannot be located for the addressof a Zip+4 area.

[0228] Once, a net worth value has been appended for both addresses,then the difference in net worth between the two addresses is calculatedas follows:

DF_NETWR=NETWR(FROM)−NETWR(TO)

[0229] DF_NETWR refers to the difference in net worth. NETWR(FROM)refers to the net worth of the reference address or old address andNETWR(TO) refers to the net worth of the new application address or thenew address.

[0230] Next, the difference in homeownership is constructed. In order todetermine the difference in homeownership, for both addresses, ahomeowner indicator is appended to both addresses by matching name andaddress to the appropriate demographic file. If there is not match, thena homeowner indicator is appended by matching by address only to findhomeowner indicator. If there is still no match, the averagehomeownership percentage for that Zip+4 is appended. If there is stillno match, the mean homeowner percentage for all individuals is assigned.For instance, as with income, the mean homeowner percentage for allindividuals may be appended, when a Zip+4 for a particular addresscannot be determined or when demographic data cannot be located for theaddress of a Zip+4 area.

[0231] Once, we have a value for both the FROM and TO address, we thencalculate the difference between the FROM and TO address as follows:

DF_HOMEON=HOMEON(FROM)−HOMEON(TO)

[0232] Where DF_HOMEON refers to the difference in homeownership,HOMEON(FROM) refers to homeownership for reference address or oldaddress, and HOMEON(TO) refers to homeownership for the new applicationaddress or new address.

[0233] Once the three difference for the income, net worth andhomeownership have been calculated, then a variable that is acombination of the three is created:

[0234] IF DF_HOMEON<=−1,

[0235] THEN VALUE1=0.00056

[0236] IF DF_HOMEON>−1 and DF_HOMEON<=0

[0237] AND DF_NETWR<=−4.7

[0238] THEN VALUE1=0.00701

[0239] IF DF_HOMEON>−1 and DF_HOMEON<=0

[0240] AND DF_NETWR>−4.7 and DF_NETWR<=−2.7

[0241] THEN VALUE1=0.00131

[0242] IF DF_HOMEON>−1 and DF_HOMEON<=0

[0243] AND DF_NETWR>−2.7 and DF_NETWR<=−1.7

[0244] THEN VALUE1=0.00191

[0245] IF DF_HOMEON>−1 and DF_HOMEON<=0

[0246] AND DF_NETWR>−1.7 and DF_NETWR<=−0.7

[0247] AND DF_INCOM<=−11,000

[0248] THEN VALUE1=0.00056

[0249] IF DF_HOMEON>−1 and DF_HOMEON<=0

[0250] AND DF_NETWR>−1.7 and DF_NETWR<=−0.7

[0251] AND DF_INCOM>−11,000

[0252] THEN VALUE1=0.00565

[0253] IF DF_HOMEON>−1 and DF_HOMEON<=0

[0254] AND DF_NETWR>−0.7 and DF_NETWR<=0.3

[0255] THEN VALUE1=0.00066

[0256] IF DF_HOMEON>−1 and DF_HOMEON<=0

[0257] AND DF_NETWR>0.3 and DF_NETWR<=2.3

[0258] THEN VALUE1=0.00131

[0259] IF DF_HOMEON>−1 and DF_HOMEON<=0

[0260] AND DF_NETWR>2.3

[0261] THEN VALUE1=0.00297

[0262] IF DF_HOMEON>0

[0263] AND DF_NETWR<=5.3

[0264] THEN VALUE1=0.01894

[0265] IF DF_HOMEON>0

[0266] AND DF_NETWR>5.3

[0267] AND DF_INCOM<=37,000

[0268] THEN VALUE1=0.00275

[0269] IF DF_HOMEON>0

[0270] AND DF_NETWR>5.3

[0271] AND DF_INCOM>37,000

[0272] THEN VALUE1=0.01095

[0273] The numerical values are derived from a statistical analysisusing known methods of actual identity theft fraud data, which was usedto build this model.

[0274] The next variable identifies records that were confirmed throughthird party data to match the name at a given address. This variable istitled “MATCH.” If a match is found to the third party database(demographics) via name and address, this variable is coded as a valueof 1. If it is not confirmed, it is coded as a 0.

[0275] The next variable is based on the home value between the twoaddresses. To determine the value for this variable an analysis of thechange in the home value is performed. This variable is named“DF_HOMVL.” In one embodiment, the difference between the home value ofthe FROM address (e.g., reference address in a new application situationor the old address in takeover situations) and the TO address (e.g., thenew application address in a new application or a new address intakeover situations). For both the FROM and TO address, a home value isappended by matching by name and address to the appropriate demographicfile. If there is not a match, then the home value is appended based ona match by address only. If there is still no match, then the averagehome value for that Zip+4 of the address is appended. If there is stillno match, then the mean home value for all individuals is appended.Once, we have a value for home value for both the FROM and TO address,we calculate the difference between the FROM and TO address as follows:

DF_HOMVL=HOMEVAL(FROM)−HOMEVAL(TO)

[0276] Where DF_HOMVL is the difference in home value, HOMEVAL(FROM)refers to the home value of the address prior in time to the onereflected as the address in a new application or in a change of address,and HOMEVAL(TO) refers to the address on the new application form as thecurrent address or the new address provided in changing the address.

[0277] The next variable in the model is based on the distance of themove for the change of address. This variable is named “DF_DISTN.” Inone embodiment, this variable measures the distance of the move for thechange of address. Using the delivery point for both the FROM and TOaddress, we then determine the longitude and latitude of the deliverypoint. We then calculate the distance of the move as follows:

DF_DISTX=69.1*[TO(Latitude)−FROM(Latitude)]

DF_DISTY=69.1*[TO(Longitude)−FROM(longitude)]*COS[FROM(latitude)/57.3)

DF_DISTN=SQRT[(DF_DISTX*DF_DISTX)+(DF_DISTY*DF_DISTY)]

[0278] Where DF_DISTX refers to the change in latitude from the TO andFROM addresses multiplied by 69.1, DF_DISTY refers to the change inlongitude from the TO and FROM addresses multiplied by the cos of thelatituted of the FROM address divided by 57.3, all of which ismultiplied by 69.1, and DF_DISTN is calculated by the square root of thesum of the squares of DF_DISTX and DF_DISTY. The mathematicalcalculation is a known formula for converting latitudinal andlongitudinal information into a distance.

[0279] The next variable is based on whether the type of housing (e.g.,apartment, non-apartment, single family home) has changed for thecurrent address in comparison with the reference address or old address.This variable is called “HOMAPT.” In one embodiment, this variableindicates whether or not a person has moved from a non-apartment to anapartment. In one embodiment, if the FROM address is not an apartmentand the TO address is an apartment, this variable is coded as a 1.Otherwise this variable is coded as a 0.

[0280] The next variable is based on whether the new application addressor the new address is a building. This variable is named “BLDNG.” Thisvariable indicates whether or not the TO address is a building. In themodel, If the TO Address is a Building, this variable is coded as a 1.Otherwise this variable is coded as a 0.

[0281] The next variable is based on whether the new applicationaddress, the new address or current address is a warm address. In short,this variable indicates if the second address is “warm”. Warm addressesare addresses that are non-standard delivery addresses. This type ofaddress includes addresses such as UPS Stores, Mail Boxes, Etc.,hotels/motels, etc. The variable is named “WARMADD.” In the model, if amatch is made by TO the address to the Warm Address file, this variableis coded as a 1. Otherwise this variable is coded as a 0.

[0282] The next variable is based on the difference in internet usagesfor the Zipcode+4 area (sometimes also referred to as Zip+4) for the twoaddresses. In one embodiment, this variable measures the difference ininternet usage for the area defined by Zip+4 for the FROM address to thearea defined by the Zip+4 for the TO address. This variable is named“Z4_WEB.” In one embodiment, this information is derived as follows.First, the average internet usage is calculated for the Zip+4 area forboth the FROM address and the TO address. This data is resident on thedemographic file, where a value of 1 indicates lowest likelihood ofinternet usage and 9 indicates the highest. Then, the average value forall addresses in the specific Zip+4 area is calculated. Once the valuefor each the FROM and TO addresses is determined, the differencevariable is coded as follows:

Z4_WEB=WEBUSE(FROM)−WEBUSE(TO)

[0283] Where Z4_WEB refers to the difference is web usages for the areadefined by the Zip+4 for each of the addresses, WEBUSE(FROM) refers tothe average internet usage for area defined by the Zip+4 for the FROMaddress (e.g., the reference address in a new application situation orthe old address in a takeover situation), and WEBUSE(TO) refers to theaverage internet usage for the Zip+4 for the area defined by the TOaddress (e.g., the new application address or the new address in thetakeover situation). While average internet usage is used as themeasure, other measures such as median internet usage may be used in theappropriate model.

[0284] The last variable used in this embodiment of the model is basedon the average length of stay at the residence at the Zip+4 area codefor the reference address or the old address (when there is an addresschange requested). This variable is named “Z4_LORF.” In one embodiment,this variable measures the average length of residence for the areadefined by the Zip+4 for the FROM address. In one embodiment, thisinformation is derived as follows. First, the average length ofresidence for the area defined by the Zip+4 is calculated for the FROMaddress. This data is resident on the demographic file, where the valuesindicate the number of years a person has resided at that residence.Then, the average value for all addresses in that Zip+4 area iscalculated. The variable then indicates the average length of residencefor people living in the area defined by the Zip+4 for the FROM address.

[0285] In one embodiment, the model used to predict has nine variables.However, the model used to predict may have any number of variables.Also, the variables used may evolve based on information collected onthe characteristics of confirmed fraud accounts. Another factor that maychange the variables used relates to the evolution of methods used bythe people committing the fraud. As the methods change, the variablesmay have to be varied. However, the present invention is not limited tothe number of factors used on the types of factor used in the model topredict the risk of identity theft fraud.

[0286] Once the variables have been analyzed, the values for each of thevariables are plugged into the model. The basic formula for the model isgeneralized as follows:

Y=A+B1*x1+B2*x2+B3*x3 . . . +Bn*xn,

[0287] Where Y is the dependent or outcome variable is the result usedto predict the risk of identity theft fraud, A is a constant value, B1 .. . Bn are the coefficients or weights assigned to the independentvariables, and x1 . . . xn are the independent variables themselves. Inthe embodiment described above, the independent variables includeVALUE1, MATCH, DF_HOMVLDF_DISTN, HOMAPT, BLDNG, WARMADD, Z4WEB, andZ4_LORF.

[0288] Using known statistical methods to analyze actual data fromconfirmed identity theft fraud cases, the following coefficients weredetermined for the model: COMPUTE SCORE = 0.001554 + VALUE1 * 0.93061 +MATCH * −0.00594 + DF_HOMVL * 2.12E−09 + DF_DISTN * 1.53E−06 + HOMEAPT *0.002093 + BLDNG * 0.002334 + WARMADD * 0.078844 + Z4_WEB * −0.00021 +Z4_LORF * 0.000134

[0289] Where COMPUTE SCORE refers to the score that will be used, atleast in part, to predict a risk of identity fraud. In this method, thecoefficients were determined using ordinary least squares regression.However, other known statistical methods such as logistic regression,CHAID, CART, discriminant analysis, neural networks or the like may beused.

[0290] In one embodiment the score is between 0 and 1 with 1 being mostlikely to be fraud. However, the scale may be any range. For instance,the score may be in a range of 1 to 100. Similarly, the score may beconverted to a description. So depending on the risk tolerance of theinstitution making the inquiry, ranges may be provided that wouldindicate likelihood of identity theft fraud. For instance, on a scale of0 to 1, a 0.8 or above may be designated as a high risk for fraud andthe report to the company making the inquiry may be a descriptiveassessment based on a numerical score rather than the score itself. Thescore itself shows some level of risk of identity theft fraud. Whetherthe level of risk is acceptable is one that must include input from thebusiness as to its tolerance of this risk. Also, while the score itselfmay be used to predict whether identity theft is being perpetrated, thescore may be used with other data such as, without limitation, warmaddress files, undeliverable mail addresses, syntax of the driverslicense for a particular state to assess a risk of fraud, or the yearthe social security number was issued is compared to the date of birthfor rationality.

[0291] The model described for determining a score was developed usingconfirmed identify theft fraud data. However, while the variablesselected are based on an analysis of this confirmed fraud data, othervariables may be selected. Because the model described herein is basedon a statistical analysis of confirmed fraud data, the model takes whatis known about the past and applies it to future events. Over time,however, behaviors and relationships change. This is especially true inthe area of identity theft fraud. As fraud models and tools areeffectively deployed, the fraud migrates, creating new behaviors andrelationships. Because of this, the model may be modified by using thesame methods described herein to emphasize certain variables or addother variables from the information sources described herein. The modeldescribed herein was tested to understand how well the model “performs”or segments the entire population of applications. The effectiveness ofthe model described here is shown by the segmentation table and the ROCcurve.

[0292] In developing the model, the confirmed fraud data is scored. Thescored data was categorized into equal sized buckets or categories fromlowest to highest. Thus, the identity theft fraud rate present withineach bucket is shown by categorizing the worst 5% into the first bucket,the next worst 5% into the second bucket, etc. The following chart showsthe performance of the model. Percent Indexed Of Fraud Segment CasesRate 1 5% 908 2 5% 279 3 5% 301 4 5% 93 5 5% 88 6 5% 88 7 5% 76 8 5% 599 5% 42 10 5% 17 11 5% 21 12 5% 4 13 5% 8 14 5% 0 15 5% 8 16 5% 4 17 5%0 18 5% 0 19 5% 0 20 5% 0 TOTAL 100% 100

[0293] In this example, segment 1 is the worst 5% of scored records fromthe test data set. As shown by the chart, this segment has a fraud ratethat is over 9 times the average fraud rate for the entire population.(Note: the Indexed fraud rate is calculated by taking the segment levelfraud rate divided by the overall population fraud rate*100.)

[0294] Another way to look at the performance of the model is to look ata Power of Segmentation summary chart. This is sometimes also referredto as a ROC curve or Lorenz Diagram. This view shows how many cumulativefraud records are identified for each level of screening.

[0295] For example, this curve indicates that the model is able toidentify approximately 60% of the total frauds (y-axis) by only lookingat the worst 10% of records as identified by the model (x-axis).Similarly, the curve shows that the worst 5% account for approximately45% of the total fraud. The top line shows how well the model performs,whereas the lower line shows how a randomly generated model performs(i.e., If one looked at 10% of the records, one would expect to identifyabout 10% of the fraud. )

[0296] Going back to FIG. 2, after the score is determined, at block 84,the address velocity file is updated with the score. Next, at block 86,apply business rules to the data. This business rules are to ensure thatregardless of the score, certain data elements are checked (e.g.,whether the address is a warm address, whether the address is aundeliverable mail address, whether social security number is validetc.) That is, create a file on this analyzed case and include in thatdata relating to whether a warm address was present, whether it was areported fraud address, or whether the address was an undeliverablemailing address. Such information may be used in analysis of otherinquiries in the future. Moreover, regardless of the score, if the newaddress or the address on an application is a warm address, then therule may be to report that as a high risk of identity theft.

[0297] Also, regardless of the fraud risk information, data relating toundeliverable mailing addresses would be useful information for thecustomer making the inquiry because sending media (e.g., checks, creditcards or the like) to an undeliverable providing address is expense tothe business and creates a risk for fraud to be committed. As such, thecustomer making the inquiry that the address is an undeliverable mailingaddress would be useful to the customer and would save the customer theexpense of mailing media to an undeliverable mailing address. Also, bynot mailing media to an undeliverable address, the customer would reducethe risk of fraud being committed with the media.

[0298] Next, at block 88, user defined parameters are applied. That is,the business making the request may have some criteria (e.g., verifysyntax of the driver's license). Each may provide information related toscore thresholds based on its tolerance for risk. Apply thoserequirements and append that information with the score and the otherinformation discussed with respect to business rules to create an outputfor sharing with the business.

[0299] At block 90, fraud alerts may be created with reason codes andtransmitted to the business entity through a user interface at block 92or a web server at block 98. The reason codes may be based on userdefined criteria or codes based on the variables used in the analysis ordata considered in the analysis. At block 91, the previous history filefor this account may also be updated. As shown in blocks 94 and 96, acase management system provides display screen functionality for thefraud alerts, management queuing functionality with operator and pendingcase tracking.

[0300] In terms of output to the customer who initiated the inquiry, inone embodiment, the output message content includes the following:Output Message Content Score First name One or more reason codes Middleinitial/name Account or reference number Last name Surname

[0301] However, the output may be provided in a other ways. Forinstance, the output may be provided by simply stating a level of riskor providing a statement of the level of risk of fraud in addition tothe score. Also, while the information related to the level of risk offraud may be communicated via a data line, the internet, a facsimile orby voice (including an operator simply calling the customer with an oralreport of the risk analysis).

[0302] Also, the web server (block 98) may be used by the customer toprovide confirmed fraud data, which would be used to update the clientfraud data file for future use.

[0303] In operation, the business/customer makes an inquiry to assess alevel of risk of fraud on a new application. Data is appended to theaddress provided on the new application and the reference address (froma third party source such as a credit report or this information may beon the application). A score is derived using the model described above.The result may be provided real-time or via batch processing. In eithercase, the results maybe provided to the customer in any commerciallypracticable method including, but not limited to, a data line, theinternet, a facsimile or by voice (electronic or human voice). Customersmay establish internal policies and procedures for handling accountsbased on the score.

[0304] The system described with reference to FIG. 2 is a client-serversystem. The client transmitted the request and input information to aremote server for processing. FIG. 8 shows the logical operations usedin a system that is hosted at the client site. That is, the customerhosts the system for determining the risk of fraud in a new applicationprocess or on an account takeover situation.

[0305] As shown in FIG. 8, most of the logical operations are the sameas the operations described in FIG. 2. However, one difference is thatthe client hosts the software to perform the analysis to create thescore. Also, depending on the level of resources committed by the clientmay not access all the demographic data described in the processdescribed with respect to FIG. 2. For instance, the client hostedsolution may be limited to Zip code plus +4 data variables. As such, themodel may not be as rigorous as the model as described with respect toFIG. 2. This type of system may be provide a risk analysis that whileless rigorous useful in some situations.

[0306] FIGS. 8-15 show alternatives to the basic method described withrespect to FIG. 2 for use in account takeover situations. That is, thebasic logical operations of appending information to the addresses andcalculating a score as described with references to FIGS. 2-7 would beused. As described with respect to FIG. 2, in determining fraud withrespect to a new application the reference address is usually linked tothe applicant's identity, not necessarily the address on the newapplication form. As described above, usually, in a new applicationsituation, the reference address is obtained from a credit bureau.However, in the takeover situation, the old address or the FROM addresswould be the reference address and the address to which it is changed tois the new address (e.g., the TO address). A customer may want eachchange of address analyzed to determine a risk of fraud and match tosubsequent media requests, a customer may want the change of addressanalyzed only when such a request is matched to a media request, or aclient may want each change of address analyzed for risk of fraud. Eachof these situations will be discussed in turn with reference to FIGS.7-13.

[0307]FIGS. 9, 11, and 12 show the logical operations for an embodimentin which an analysis is performed for each address change and a match ismade for subsequent media requests. As shown in FIG. 9, 11, and 12, thelogical operations for analyzing the risk of fraud is the same as thatdescribed and shown in FIGS. 2-7. That is, information is appended tothe old address (the address before the change of address request)—whichfor takeover situation would be considered a reference address—and tothe new address (i.e., the address it was changed to). Then, a scorewould be derived using the model described with reference to FIG. 6.However, as shown in block 300, there is an address change file thatmaintains the change in address for a particular account. Also, as shownin block 302, a media request file is maintained. A media request mayinclude a request for financial instruments such as checks or creditcards. In addition, as shown in block 304, a scored history file ismaintained to store the score based on the analysis done (consistentwith the analysis as described in FIG. 2) for an account in which therewas a change in address. When a media request is made, it is checkedagainst the scored history file. If there is a match in terms of anaddress change in the same account on which the media request is made,business rules—which may be supplied by the customer—are used todetermine whether to honor the media request. Some factors that may beused include the time lapse between the media request and the addresschange and the risk of identity theft fraud as determined by thescoring.

[0308] As shown in FIGS. 10, 11, and 12, customers may only want anaddress change analyzed for risk of fraud if it is followed with a mediarequested within a period of time of the address change. It should benoted that the media request may be prior to the address change request.In this situation, as shown in block 320, a media request file ismaintained storing media request information on accounts. Also, as shownin block 322, a 90 day rolling address change file is maintained. Whilein one embodiment the rolling address change file has a 90 day window,the rolling address file is not limited to a 90 day window but rathermay be constructed to any length of time. As shown in block 324, adetermination is made as to whether a media request matches a change inaddress request. If so, then the analysis to score the change in addressas described with respect to FIG. 2-7 is performed (as shown in FIGS.10-12).

[0309] FIGS. 13-15 show the process described with respect to FIGS. 2-7being applied in the case when each address change is scored, but noadditional steps are performed with respect to media requests.

[0310] As with the process described with respect to new applications, anumerical score derived from this process may be used to assess risk.However, in other embodiments, the score may be considered along withdata analyzed based on the business rules and client-defined parametersto make as assessment of the risk of identity theft. This informationmay be provided in any number of ways including voice, data line,facsimile. Also, the processing for takeover accounts may be done inbatch, real-time, and in a client-server structure where the server isin a remote location or in a structure where the system is hosted at theclient site.

[0311] There are several purpose for which this invention serves. Apurpose of this invention is to prevent fraud losses associated withaccount takeover. An additional purpose of the invention is to preventfraud losses that accrue from criminals submitting fraudulent creditaccount applications to financial institutions where the criminalassumes the credit identity of an unknowing person/victim. If theaccount is approved, the criminal receives the credit card, debit card,checks or merchandise or services at a street address other than that ofthe victim.

[0312] An additional purpose of this invention is to reduce fraud lossesin a form of account takeover that is associated with “over night”emergency requests for the replacement of items such as credit/debitcards, personal checks, traveler check replacements. There is a businessand competitive need for financial institutions to provide emergencyreplacement services. Criminals can affect an account take over byexploiting the Emergency replacement process through requesting that anunauthorized replacement be sent to an address for which they haveaccess. The criminal receives the replacement and commits unauthorizeduse fraud. Emergency type credit and debit card replacements are oftenrequested to be sent to an address other than the address of record. Afinancial institution has a short processing window to establish thelegitimacy of these requests. This invention would help to identifypotentially fraudulent requests using the analysis described above.

[0313] Another purpose of this invention is to reduce fraud losses whereproduct or service fulfillment or billing activities involve a streetaddress and the effects of fraudulent addresses that would be negativeto business interests. This can occur in the retail environmentparticularly in non-face to face transactions. In addition to reduceddirect fraud losses through superior detection, the purpose of thisinvention is to reduce overhead and infrastructure expenses associatedwith low false positive rates, reduced infrastructure expenses that arenecessary to process fraudulent claims and an improved customerexperience.

[0314] As can be seen by the above Figures, different factors may beconsidered depending upon the particular request that is received, andmay be dynamically determined as to what factors should be consideredfor a given request. For instance, some requests may only utilizecertain factors, while other requests may involve checks of all factorsin providing a score.

[0315] Hence, it can be seen that embodiments of the present inventionprovide various systems and methods that can be used for detecting fraudin account requests.

[0316] Embodiments of the invention can be embodied in a computerprogram product. It will be understood that a computer program productincluding one or more features or operations of the present inventionmay be created in a computer usable medium (such as a CD-ROM or othermedium) having computer readable code embodied therein. The computerusable medium preferably contains a number of computer readable programcode devices configured to cause a computer to affect one or more of thevarious functions or operations herein described.

[0317] While the methods disclosed herein have been described and shownwith reference to particular operations performed in a particular order,it will be understood that these operations may be combined,sub-divided, or re-ordered to form equivalent methods without departingfrom the teachings of the present invention. Accordingly, unlessspecifically indicated herein, the order and grouping of the operationsis not a limitation of the present invention.

[0318] While the invention has been particularly shown and describedwith reference to embodiments thereof, it will be understood by thoseskilled in the art that various other changes in the form and detailsmay be made without departing from the spirit and scope of theinvention.

What is claimed is:
 1. A method for assessing a risk of fraud, comprising: receiving at least information relating to a first address relating to one of an account holder or an applicant; receiving information relating to a second address; and measuring demographic differences between the first and second addresses.
 2. The method of claim 1, further comprising analyzing whether the first address is a warm address.
 3. The method of claim 1, further comprising analyzing whether the first address is a undeliverable mail address.
 4. The method of claim 1, further comprising calculating a score indicative of a level of risk of identity theft fraud.
 5. The method of claim 4, wherein the act of calculating a score comprises using a mathematical model that includes weighting factors for one or more pre-defined variables used in the model.
 6. A method for assessing a risk of identity theft fraud with respect to new applications, comprising: receiving first address information relating to an applicant for an account; and using demographic data relating to the address information.
 7. The method of claim 6, further comprising receiving a reference address.
 8. The method of claim 7, wherein act of receiving a reference address includes receiving reference address information from a third party database
 9. The method of claim 7, wherein the act of receiving a reference address includes receiving reference address information as part of input data provided in making a request to assess a risk of identity theft fraud.
 10. The method of claim 7, further comprises measuring at least one difference in demographic data appended to the first and reference address information.
 11. The method of claim 10, further comprising calculating a score indicative of a risk of identity theft.
 12. The method of claim 1, further comprising reporting an assessment of a risk of identity theft based at least in part on the score.
 13. The method of claim 12, further comprising analyzing negative data for the first address.
 14. The method of claim 13, wherein the act of assessing risk of identity theft is based on the score and analysis of the negative data.
 15. A method for assessing a risk of fraud, comprising: using demographic attributes of street addresses to predict the risk of fraud, wherein the act of using comprises analyzing differences between demographic attributes of the addresses.
 16. The method of claim 15, further comprising reporting the assessment of fraud.
 17. The method of claim 16, wherein the act of assessing a risk of fraud comprises assessing the risk of identity theft fraud due to account takeover.
 18. The method of claim 16, wherein the act of assessing a risk of fraud comprises assessing the risk of identity theft fraud perpetrated through a new application.
 19. The method of claim 17, further comprising receiving information relating to a media request.
 20. The method of claim 19, further comprising assessing risk of identity theft when the request for media is made on an emergency basis.
 21. The method of claim 15, wherein the act of assessing risk of fraud comprises assessing a risk of identity theft in fulfillment activities.
 22. The method of claim 15, further comprises coupling negative and positive information with address demographic attributes to assess the risk of identity theft fraud.
 23. A method for detecting a risk of identity theft fraud comprising: combining warm address, known fraud address information, USPS Deliverable Address File, NCOA files with address specific, single point, demographic information; and coupling differential information relating to the addresses to predict a risk of fraud for at least one of account takeover new account application and fulfillment fraud.
 24. A system for assessing a risk of fraud, comprising: a processor; memory; computer instructions operable by the processor to append data to at least one variable used in assessing a risk of identity theft fraud; computer instructions operable by the processor to analyze differences in demographic data for two different street addresses; computer instructions operable by the processor to calculate a score indicative of a level of risk of fraud; and computer instructions operable by the processor to output an assessment of a risk of level of fraud.
 25. The system of claim 24, wherein the computer instructions to calculate a score comprise instructions to calculate a score indicative of a risk of fraud using a formula of the form Y=A+B1*x1+B2*x2+B3*x3 . . . +Bn*xn where Y is the dependent or outcome variable is the result used to predict the risk of identity theft fraud, A is a constant value, B1. . . Bn are the coefficients or weights assigned to the independent variables, and x1 . . . xn are the independent variables.
 26. A method for determining whether an account request for a change of address from an applicant involves fraud, comprising: receiving a request to change an address of an account, said request including an old address and a new address of the applicant; obtaining demographic data based on the old address of the applicant; obtaining demographic data based on the new address of the applicant; calculating a differential between the demographic data based on the old address of the applicant and the demographic data based on the new address of the applicant; and calculating a score for the request based on the differential, the score indicating whether the request may involve fraud.
 27. A method for determining whether an account request from an applicant for media involves fraud, comprising: receiving a request to provide media to the applicant relating to an account; determining whether the account has information relating to change of addresses, said information including an old address and a new address of the applicant; obtaining demographic data based on the old address of the applicant; obtaining demographic data based on the new address of the applicant; calculating a differential between the demographic data based on the old address of the applicant and the demographic data based on the new address of the applicant; and calculating a score for the request based on the differential, the score indicating whether the request for media may involve fraud.
 28. A method for determining whether an account request from an applicant for media involves fraud, comprising: receiving a request to provide media to the applicant relating to an account, said request including a current address of the applicant and a shipping address to which to ship said media; obtaining demographic data based on the current address of the applicant; obtaining demographic data based on the shipping address of the applicant; calculating a differential between the demographic data based on the current address of the applicant and the demographic data based on the shipping address of the applicant; and calculating a score for the request based on the differential, the score indicating whether the request for media may involve fraud.
 29. A system for processing account requests from applicants, comprising: one or more inputs for receiving account requests from one or more business entities, each of said account requests including an address of an applicant; an interface for transmitting said addresses to an address data service to obtain demographic data therefrom; and a scoring module for calculating a score for the request based on the demographic data, the score indicating whether the request may involve fraud.
 30. A method for providing information assessing a risk of fraud, comprising: analyzing two different street addresses and demographic data associated with the street addresses; based, at least in part on the analysis, providing an assessment of a risk of fraud.
 31. The method of claim 30, wherein act of providing an assessment of a risk of fraud comprises providing a score and at least one reason.
 32. The method of claim 30, where in the act of providing an assessment of risk comprises sending the assessment via an electronic message.
 33. The method of claim 30, where in the act of providing an assessment of risk comprises sending the assessment via voice. 